Minor "query (cache) denied" Logging Bug?

Mark Andrews Mark_Andrews at isc.org
Thu Apr 2 01:25:29 UTC 2009 

In message <49D40CA4.70404 at chrysler.com>, Kevin Darcy writes:
> bsfinkel at anl.gov wrote:
> > I have a name server that is authoritative for the zone
> >
> >      tlh.fl.us.
> >
> > In that zone is a record
> >
> >      freenet.tlh.fl.us.  IN  CNAME   tfn.net.
> >
> > My server is not authoritative for tfn.net.
> >
> > Some external client sends a request:
> >
> >      What is the MX for freenet.tlh.fl.us.?
> >
> > My server responds (this is from a snoop trace):
> >
> >      DNS:  Response ID = 61546
> >      DNS:  AA (Authoritative Answer)
> >      DNS:  Response Code: 0 (OK)
> >      DNS:  Reply to 1 question(s)
> >      DNS:      Domain Name: freenet.tlh.fl.us.
> >      DNS:      Class: 1 (Internet)
> >      DNS:      Type:  15 (Mail Exchange)
> >      DNS:
> >      DNS:  1 answer(s)
> >      DNS:      Domain Name: freenet.tlh.fl.us.
> >      DNS:      Class: 1 (Internet)
> >      DNS:      Type:  5 (Canonical Name)
> >      DNS:      TTL (Time To Live): 86400
> >      DNS:      Canonical Name: tfn.net.
> >      DNS:
> >      DNS:  0 name server resource(s)
> >      DNS:  0 additional record(s)
> >
> > This is a correct answer.  Note that there are no authority nor
> > additional sections.  But I also see in /var/adm/messages:
> >
>      Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
> >        client 217.232.216.120#10000:
> >        query (cache) 'tfn.net/MX/IN' denied
> >
> > I assume that in the process of getting more information about
> >
> >      tfn.net
> >
> > to give the authority section and the additional section (this is from
> > an query I made to an internal BIND server, where queries are not
> > denied):
> >
> >      ;; AUTHORITY SECTION:
> >      tfn.net.                1d23h59m59s IN NS  ns92.worldnic.com.
> >      tfn.net.                1d23h59m59s IN NS  ns91.worldnic.com.
> >
> >      ;; ADDITIONAL SECTION:
> >      freenet.tfn.net.        2H IN A         199.44.235.10
> >      ns91.worldnic.com.      1d6h26m5s IN A  205.178.190.46
> >      ns92.worldnic.com.      1d6h26m5s IN A  205.178.144.46
> >
> > BIND 9.6.0-P1 determines that although it may have this information
> > about tfn.net in its cache, it cannot give the information to the
> > requester because I have not configured BIND to allow external users
> > to query the cache.  If BIND did not have the information about tfn.net
> > in its cache, would it go and retrieve the information and then
> > decide that it was unable to give the cached information to the
> > requester?
> >
> > Should the "query (cache) denied" message be produced?  We were
> > confused because we did not see any queries for tfn.net in the
> > named.querylog file, where we log all DNS queries.  I had to run a
> > snoop trace to see what was happening.
> >
> > In this case, should BIND give the information about tfn.net in its
> > cache back to the requester?
> >   
> Barry,
> It's not logging that message merely because it couldn't populate the 
> Authority and/or Additional Sections. It's logging that message because 
> freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were 
> allowed, and the tfn.net MX record(s) were present in the cache, they 
> would be provided in the *Answer* Section of the response. I think it's 
> reasonable for BIND to log a "denied" message when omitting data that 
> would otherwise be in the Answer Section of a response. After all, BIND 
> is explicitly giving the client less information than they asked for. 
> That's a _bona_fide_ "denial". Omitting records from the Authority or 
> Additional Sections, which in most cases BIND is not obligated to 
> provide anyway, probably doesn't warrant a log message, except perhaps 
> at very detailed logging levels.
> 
> I suppose one might question whether BIND should log "denied" messages 
> for data that wouldn't have been provided anyway, because it was not in 
> authoritative data, or in the cache, and recursion was not requested 
> and/or not available But, as a general matter, if you're denying access 
> to the cache, wouldn't you want to know *unsuccessful* attempts to fetch 
> data from your cache, which might tip you off to DoS or "cache sniffing" 
> attempts?
> 
> Perhaps the denied attempts to fetch *non-existent* cache data could be 
> logged at a different level than the denied attempts to fetch existing 
> cache data, not sure if that would be a valuable feature or not...

For the listed senario the message should only be emitted if RD=1.

The following was done on a system with the following acl's that is
also authoritative for dv.isc.org.  cname.dv.isc.org is a test
CNAME record.  Named's syslog messages are being "tail -f"'d while
the test was in progress.

	allow-query-cache { 127.0.0.1; ::/1; };
	allow-recursion { 127.0.0.1; ::/1; };

Note the first query did not elicit a log message and the second query
did.  A direct query for ftp.uu.net results in REFUSED being returned
which is independent of RD.

The test was run against BIND 9.6.1b1.

Mark

drugs# dig cname.dv.isc.org @192.168.191.236 +norec

; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236 +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13081
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:09 2009
;; MSG SIZE  rcvd: 58

drugs# dig cname.dv.isc.org @192.168.191.236
Apr  2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: query (cache) 'ftp.uu.net/A/IN' denied

; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 1 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:50 2009
;; MSG SIZE  rcvd: 58

drugs# dig ftp.uu.net @192.168.191.236 
Apr  2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: query (cache) 'ftp.uu.net/A/IN' denied

; <<>> DiG 9.3.6-P1 <<>> ftp.uu.net @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61980
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.uu.net.                    IN      A

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:20:47 2009
;; MSG SIZE  rcvd: 28

drugs# 
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list